[57] ABSTRACT

A system and method for managing client authorization to access remote data repositories through a middle tier server such as a web server. Client remote data repository access is intercepted by the middle tier server and the server is searched for stored credentials permitting client access to the remote data repository. If found, the stored credentials are used to authenticate access without further interaction with the client system. If no stored credentials are found, the server requests credentials from the client and passes them to the remote data repository for validation. Validated credentials are stored by the server for future use and indexed by a client identifier. Permitted remote data repository access is stored with the validated credentials. Access to a mounted remote file system is not permitted without authorization even if the remote file system would not otherwise require authorization.

24 Claims, 5 Drawing Sheets
FIG. 3: security hash table

User Id    | Distinguished Name                                           | Session ID | Credentials/Password | Access drives
Michael    | CN=Michael, OU=Security, O="IBM PSP", L=Austin, ST=TX, C=US  |            | michael.cred         | G:
Sandy      |                                                              | FFF04360   | sandy.cred           | H:
Sandy      | CN=Sandy, OU=Security, O="IBM PSP", L=Austin, ST=TX, C=US    |            | sandy.cred           | H:
Yellepeddy | CN=Krishna, OU=Security, O="IBM PSP", L=Austin, ST=TX, C=US  |            | krishna.passwd       | P:, Q:
Lin        | CN=Lin, OU=Security, O='IBM PSP', L=Austin, ST=TX, C=US      | FFF04359   | dlin.passwd          | O:, R:, S:
MULTIPLE REMOTE DATA ACCESS SECURITY MECHANISM FOR MULTITIERED INTERNET COMPUTER NETWORKS

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to computer implemented authorization for access to remote data. More particularly, it relates to authentication of computer users for access to data managed by remote data repositories. Still more particularly, it relates to middle tier server management of multiple client access authorization to multiple remote data repositories.

2. Background and Related Art

Internet technology has enabled computer users to access increasing amounts of data for business and personal purposes. The "Internet" consists of computers linked to each other via a computer network using common communication protocols. Most networks implement the TCP/IP (transmission control protocol/internet protocol) as a means for communication between computers. The computers are designated as "client" computers or "server" computers. Client computers make requests for data from server computers according to one of a number of available client/server protocols. Internet users currently favor the Hypertext Transfer Protocol (HTTP) because of its ease of use. HTTP enables users to select data based on a text or graphical icon or image on their client system that represents a link to particular remote data. This interlinking of data through hypertext links creates a "web" of links that can be navigated by the user to access the data he or she desires.

The basic network structure includes a network server and one or more network clients. The network server contains software that enables it to respond to requests for data from the client machines. Server software includes the Internet Connection Server Software (ICS) from IBM Corp., the Lotus Domino Server from Lotus Development Corp., the Netscape SuiteSpot Server from Netscape Communications Corp., and the Internet Server Software from Microsoft Corporation. The above server software packages accept a request for information from the client system, locate the requested data and format and present the data back to that client. The data to be returned is typically contained on the server computer system or on a computer linked directly to that system.

Client computer systems employ a "browser" comprising software necessary for the client system to format a request, transmit the request to the appropriate server and then to receive and format the response to the user. A number of commercial browsers are in use, including Netscape Navigator and Netscape Communicator from Netscape Communications, and the Internet Explorer from Microsoft Corp. The use of standardized client/server protocols enables any browser conforming to the client protocols to communicate with any server having the reciprocal server protocol. This flexibility enables independent implementation of client and server technologies.

Communications between the client and server take place over communication links such as telephone lines and computer to computer telecommunication links that are not inherently secure. Users of networked computer systems have recognized the need for secure communications between the client and server systems as essential for applications such as on-line banking, electronic ordering of products, and transmission of credit card or other financial transactions. Two secure network protocols account for a majority of secure transactions over the Internet.



The Secure Sockets Layer (SSL) protocol was developed by Netscape Communications Corp. and initially incorporated in its browser and server products. The SSL protocol is described in SSL Version 3.0, Internet-Draft, published by Netscape Communications Corp. in December 1995. This protocol is also frequently referenced as the "HTTPS" protocol. The protocol specifies the interaction protocol and content between a client system and the server system in order to establish a "secure" link between the client and server. The secure link is implemented using encryption technology that encrypts the data flowing over the communications medium.

The Secure Hypertext Transfer Protocol (SHTTP) is the second popular security protocol. It is described in The Secure HyperText Transfer Protocol, Version 1.1, Internet-Draft, Enterprise Integration Technologies, December 1994. This protocol is built upon the basic HTTP protocol and provides extensions supporting secure communications between the client browser and server systems.

A particular server will typically implement both the SSL and SHTTP protocols and possibly others. This is necessary because of the internet architecture requiring a server to respond appropriately to a large number of client browsers with unspecified client software. Servers with limited protocol support have limited usefulness.

Web servers, such as those described above, access local and remote data. Companies have found that web servers and the internet (termed the "intranet" when use is limited to a specific company or firm) provide an effective means for disseminating corporate data. This data is contained in corporate databases and often is managed by older legacy information systems. Enabling web access permits access to legacy data using modern graphical user interfaces and network tools without requiring the legacy system to be rewritten. The resulting connection of client browser, server and data systems is termed the "three tier system model." The tiers include the client, a "middle tier server" such as the web server, and "back-end" data and file system servers. The three tier model is illustrated in FIG. 1 generally at 100.

The three tiered architecture 100 includes clients 102, 104, 106, middle tier server 108 and back-end data repositories 110, 112, and 114. The back-end data repositories include, but are not limited to: distributed file systems such as AFS, DFS, NFS; database servers such as IBM DB2, Microsoft SQLServer, Oracle or Informix database servers; Lotus Notes or Novell Groupwise groupware servers; or transaction management systems such as IBM CICS, IMS, or Transarc Encina systems. These back-end data sources are connected to the middle tier server through a local or wide area network and are collectively called remote data repositories. The term remote data repository includes data servers directly linked to the middle tier server through a switch or other interconnection device. Remote does not necessarily mean the data repository is geographically distant from the middle tier server.

The client-server tiers are linked by networks 120, 122 that can include any combination of public or private data networks. The server-back-end tiers are connected by networks 130 that can also include combinations of public or private data networks or direct communication links between the computers.

Security between the client and server systems is managed using the SSL or SHTTP protocols discussed above. Most of the remote data repositories will, however, have their own security and authentication requirements. Each of the back-end systems may have a unique authentication
scheme. Access to a particular data repository is dependent upon client access level. In most cases, an installation will not wish to allow a server to have unrestricted access to all remote data sources without individual client authentication.

A technical problem therefore exists in providing authorization control between a server and remote data repositories in a three tier client/server architecture.

Existing solutions to this problem require each user at a client workstation to authenticate with the remote data repository he or she seeks to access. The server software will recognize when authorization is required and will request authorization credentials from the client user. The client will enter the credentials and these will be passed through the server to the remote data repository for validation. If validated, the data requested will be provided.

One problem with this approach is the stateless query-response nature of client-server access. The remote data repository does not maintain a specified link with each client. Once requested data has been provided, the data repository "forgets" about the client. Thus, a subsequent access by the same client will require repeated authentication/validation. Existing systems attempt to solve this problem by having the client system retain the security credentials, for example, in local client cache, which can then be supplied to the server and data repository upon demand transparently to the user. This has the disadvantage of increasing network traffic between the server and client as each authentication demand must be passed by the server to the client and answered from the local client data. Since each transaction requires reauthorization this can be a significant performance penalty. This penalty is made even more evident to the user because client systems are often connected to the network through relatively slow modems.

Thus, the technical problem remains of providing authentication control between a server and remote data repository while limiting the message traffic between the server and the client. A further problem is to provide such a system that is able to support multiple client-server security protocols and multiple (and different) remote data repository authentication protocols.

SUMMARY OF THE INVENTION

The present invention is directed to providing a system, method and computer program product enabling client authentication with a server and single authentication of the client to a remote data repository, including distributed file system, database manager or transaction management system. The present invention enhances the middle tier server with back-end authentication management features including credential caching. These enhancements permit multiple client access to multiple remote data repositories while eliminating the need for the client to authenticate with the remote data repositories on each access.

The present invention includes a computer implemented method for managing security in a three tier networked computer system having multiple clients, a server, and one or more remote data repositories, the method including the steps of: authenticating client access to the server; intercepting in the server a client request for access to a remote data repository; testing for stored client credentials to access the remote data repository; if not found, requesting client credentials and validating the credentials with the remote data repository, and storing the validated credentials; and processing the request for access using stored client credentials.

It is therefore an object of the present invention to eliminate client-remote data repository authentication for all but the first access to the remote data repository by the client in a session.

It is yet another object of the invention to eliminate repeated requests for authentication from a server once a client has been authenticated for a data repository.

It is yet another object of the invention to control remote file system drive access by enforcing mount authentication before permitting client access to previously mounted remote file systems.

The foregoing and other objects, features and advantages of the invention will be apparent from the following more particular description of a preferred embodiment of the invention, as illustrated in the accompanying drawing wherein like reference numbers represent like parts of the invention.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a block diagram of a three tier distributed computer system according to the present invention.

FIG. 2 is a block diagram of a computer system according to the present invention.

FIG. 3 is an illustration of a security hash table according to the present invention.

FIG. 4 is a flow chart illustrating the process steps of a part of the present invention.

FIG. 5 is a flow chart illustrating the process steps of a second part of the present invention.

DETAILED DESCRIPTION

The preferred embodiment of the present invention is practiced in a three tier distributed processing architecture. The present invention, however, can be practiced in any multitiered distributed processing environment with two, three or more tiers. In such a multitiered environment, the client credentials will be stored at a designated server. In a two tiered system, the present invention offers a means to increase security and simplify credential management by augmenting existing security and authentication schemes.

The present invention is directed to a computer system, computer implemented method, and computer program product for managing security authentication in a multitiered networked computer environment. The preferred embodiment of the invention is practiced on an IBM Personal Computer such as the IBM PC/700 having an Intel microprocessor. Alternatively, the invention can be practiced using a workstation or server such as the IBM RS/6000 Server or similar servers from Sun Microsystems or Hewlett-Packard. The server is under the control of an operating system such as the IBM OS/2, IBM AIX, Sun Solaris, Microsoft Windows NT, or Hewlett-Packard HP-UX operating system. The preferred embodiment uses the OS/2 operating system. A multitiered network will typically consist of many different computers and operating systems.

The basic structure of a server computer system according to the preferred embodiment of the present invention is shown in FIG. 2 at 200. Instruction processing and control is carried out by one or more processors 202. Random access memory 204 is accessible to the processors over system bus 205. Input/Output controller 206 is attached to the system bus and controls access to permanent storage 208 and removable storage 210. Permanent storage includes rotating and static memory devices that store data magnetically or optically. Removable media 210 can include magnetic disks or diskettes, and optical CD-ROM disks. User interaction is supported through keyboard 212, graphic display 216 and pointing device 214. Computer system 200 is connected to a network through communications controller 220. The
network can operate according to any known or newly discovered protocol, including ethernet, token ring, and asynchronous transfer mode.

The client systems using the present invention can be of similar configuration. They may, however, also comprise network computers without permanent or removable storage. Back-end data repository servers and remote file systems will typically have large permanent and removable storage capacity and will frequently include multiple processors 202 in a symmetric multiprocessing (SMP) or clustered configuration. Such back-end servers provide data to the client systems.

The middle tier server according to the present invention will be described in greater detail with reference to FIG. 1. Server 108 includes software to manage client requests for data or other services. Standard server software 150, such as an IBM Internet Connection Server (ICS) or a Lotus Go Domino server, accepts client requests, interprets them, and formats and sends the necessary response. Standard remote data repository access is provided through remote data repository clients 152, 154, 155. Each of these clients supports access to a particular type of data repository. For example, client 152 may support access to an IBM DB2 Database Server, while client 154 supports access to a remote file system managed by a Distributed File System (DFS) protocol. Additional back-end servers can include Lotus Notes groupware servers, CICS transaction servers, Microsoft SQLServers, and others. Each type of server will have an associated client managing the interaction between the server software 150 and the remote data repository. Server software 150 can be web server software or other server software such as Windows NT, Novell Netware, or IBM Lan Server software.

Client authorization to use the server is managed by the server software 150 either directly or through a separate security server. The creation of a secure client/server session can be managed using any of a number of security management systems. The preferred embodiment of the present invention enables a client to use either the SSL or SHTTP secure network protocol. The process of establishing a secure connection is described in greater detail below. User authorization is validated at the server using an authentication service. The preferred embodiment employs the IBM Distributed Security Services (DSS) product that implements the X/Open Distributed Computing Environment (DCE) security model. Use of a separate security server reduces the authentication workload of the web server. Initial authorization of the client user causes the security server to return credentials for multiple applications if they are available. The single request will cause the security server to find and return all applicable credentials for that user. These credentials are then stored, according to the present invention, in the security hash table, enabling the user to access the identified applications without further authentication.

The secure sockets layer (SSL) protocol is composed of two layers. The lowest level SSL Record Protocol is layered on a reliable transport protocol such as TCP/IP. The SSL Record Protocol encapsulates various higher level protocols. One of these is the SSL Handshake protocol that establishes a secure session between the client and server. During handshaking the client and server first authenticate each other. Then they negotiate an encryption algorithm by exchanging information on the encryption preferred and supported until agreement is reached. Finally, the client and server exchange encryption keys before beginning data transmission. If authentication fails or the systems cannot negotiate an acceptable encryption algorithm, then the connection creation attempt fails. Hypertext Transfer Protocol (HTTP) support is layered on top of SSL to provide secure internet transactions. SSL was originally designed to authenticate only the server. Later versions of SSL add client authentication.

Secure Hypertext Transfer Protocol (SHTTP) clients are also supported in the preferred embodiment. SHTTP was designed to provide secure communications between the client and server. SHTTP, in contrast to SSL, was originally designed to support symmetrical authentication between the client and server. This protocol is an extension of the unsecure HTTP protocol and provides flexibility in choosing key management mechanisms, security policies and cryptographic algorithm support through a negotiation process between the client and server for each transaction. Both parties can express their requirements and preferences as to the cryptographic enhancements they will permit or require from the other party. The finally selected options form the negotiated cryptographic agreement known as the CRYPTOPTS between the parties. Once set, real data transmission begins.

The present invention introduces a server to back-end credential management function 160. Web server 150 will be modified in software or through hardware to support credential management. The file system gateways 152, 154, 155 are also modified to intercept file system requests and attempt to validate them using credential management 160. The remote data repository client API is modified to add support for exchanging session information with the file system. Credential management can include the separate function 160 that is accessed by all of the data repository clients, or, in an alternate embodiment, this additional function can be included in each of the file system clients.

Credential management according to the present invention employs a hash table for secure back-end server access. The hash table includes the following data elements:

User id: The user id recognized by the DSS Security Services.

Distinguished Name: The Distinguished Name provided by the Certificate Authority (CA) which issues the certificate to the client/server, for SHTTP use.

Session ID: The numeric ID generated by an SSL server to identify a particular browser client to which a security session has been established (SSL).

Credentials/Password: A pointer to a credentials file managed on disk by the DSS client, or simply the password, depending on the requirements for authenticating the user.

Access: List of drives or mount points to which access has been authorized on the remote file system.

Support for secure protocols other than SSL and SHTTP can be incorporated by adding the data element that identifies the secure client-server session to this table (i.e., the element that corresponds to the distinguished name for SHTTP).

FIG. 3 contains an example of a table stored according to the present invention. The hash table is stored in the server at 162 in random access memory. This embodiment implements filtering and intercepting with cached credential data. Cached user hash table data is retained for a limited period after which the authentication and validation must be repeated. The length of the retention period depends on the amount of storage allocated and the level of client activity on
the server. In an alternate embodiment, the table is copied to persistent storage, such as a hard disk, so that it can be used over a reboot of the server. This persistent storage in the middle tier enables fault tolerance and client credential reuse over longer periods of time.

The process for managing remote data repository credentials is shown in FIGS. 4 and 5, which illustrate the flow of logic in response to an access request from an SSL (HTTPS) or SHTTP session respectively.

The process receives an SSL request for data access 402. The normal SSL handshake protocol 404 (discussed above) is performed, resulting in a secure session between the client and server. The client will provide a userid and other required credentials to establish the session. A session ID is assigned to this SSL communication session. The server next tests 406 whether or not the request requires a remote data repository. If a remote data repository is not required, the non-file system request is processed 408 in accordance with the standard configuration.

If a remote data repository is required, the SSL session id is used to access the hash table 162 to locate stored credentials. If stored credentials are found and have not expired, they are associated with the request 424 and used to process the remote data repository request 426. A failure to locate stored credentials causes the server to first attempt to locate a User ID and password in the encrypted request message. If no encrypted credentials are found, the server prompts the client user with a Login Form for a User ID and password to authenticate data repository access 414. The User ID and password from the request or the login form are passed to a security server or remote data repository for authentication 416. Authentication can be through a single security server such as the IBM Distributed Security Services (DSS) or can be through the individual back-end servers. If authentication fails 418, an error message is returned to the user 420. After successful authentication, the hash table entry according to the present invention is created or updated 422. The hash table entry for an SSL initiated transaction includes the User ID of the client user, the SSL session ID, the obtained credentials, and a list of drive letters to which authorized access is granted.

Client access using SHTTP operates in a similar manner, with minor changes due to the different security protocol. The process is shown in FIG. 5. The server recognizes the security protocol as SSL, SHTTP or other, based on the protocol designator contained in the received URL (uniform resource locator).

An incoming SHTTP request for server access is received 502 by the server. The request causes initiation of encryption negotiations with the client. The server can decide 504 to comply with the suggested CRYPTOPTS, reject the current options proposed by the client, or challenge the client before making its decision (by issuing a NONCE message). If an agreement is not reached, an error is returned to the client system 505. Agreement between the client and server causes creation of a certificate that will be used throughout the transaction to encrypt and decrypt messages. The request is next tested to determine whether or not remote data access is required 506. If not, the request is handled normally 507 as a non-remote file system request. Remote data repository access requirements cause the system to decrypt the certificate in the request to extract the client userid and Distinguished Name (DN) and to use the userid to access the security hash table to find any stored credentials 508. Existing credentials 510, if unexpired, are associated with the User ID and client Distinguished Name 524 and used to process the remote data repository request 524.

In the absence of stored credentials, the server will attempt to locate credentials in the encrypted message or, failing to find them, request the user ID and password from the user 512. The credentials are authorized 514, leading to an error message 518 if authentication fails. If successfully authenticated 518, the credentials are used to update or create a hash table entry 520 and are associated with the User ID and Distinguished Name 522 for file system access 524.

A security mechanism according to the present invention provides logon coordination. This enables the client to authenticate once with the security server and have those credentials used repeatedly without validation. A single security server supporting multiple applications gives the client authenticated access to those multiple applications without the overhead of repeated credential requests and validations. This increases the responsiveness and throughput of the server.

The remote file access mechanism of the present invention provides greater control over access to remote file systems than is currently provided by existing systems. When a client accesses a remote file system using NFS or DFS, the file system is mounted as a specific drive letter on the server if the user has the authority to mount that file system. The network file system (NFS) is a distributed file system manager developed by Sun Microsystems, Inc. The Distributed File System (DFS) product is based on distributed file system standards and has been developed and marketed by the Transarc Corp. A subsequent different client access to that drive letter would be permitted without checking whether the new user has mount permission because the drive is already mounted. The present invention prohibits this secondary access to mounted drives. The accessed drives for a user are maintained in the security hash table. An attempt to access an unlisted drive requires the user to authenticate with the remote file system, including testing whether or not the user has authority to mount that file system.

The ability to control access to mounted drives increases security in a three or more tiered server system. It also provides increased security in a two tiered client/server system with standard file server software (such as Windows NT) instead of Web Server software.

Security hash table storage on the server enhances fault tolerance and failure recovery in a clustered system. The failure of the server handling a transaction can be recovered by another server in the cluster that has access to the security hash table. This failover capability enables the client to be logged on to a new server on the basis of information stored in the hash table. Smooth failover is important in server clusters supporting large web sites.

The security hash table of the present invention supports authentication between the server and the remote data repositories without repeatedly querying the client system for credentials. An example of the operation of the system and method according to the invention is discussed with respect to the hash table illustrated in FIG. 3.

User "michael" uses SHTTP to attempt to access drive G. The system of the present invention attempts to use the User ID and password used for authentication with the server, and to obtain additional remote data repository credentials from the security server (e.g. DSS). Once authenticated, the credentials returned are stored in the hash table in an entry indexed by Michael's Distinguished Name (DN), i.e. "CN=Michael, OU=Security, O='IBM PSP', L=Austin, ST=TX, C=US." The credential, e.g. michael.cred, and access drive information is stored as shown in the first row of the table in FIG. 3.
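The lookup and validation flow of FIGS. 4 and 5, written as an added Python example that is not part of the patent: the security hash table 162 is keyed by the SSL session ID for HTTPS requests and by the client Distinguished Name for SHTTP requests, a cached entry is discarded once its retention period has elapsed, a request whose credentials are neither cached nor supplied with the request results in a login prompt, and validated credentials are stored together with the authorized drives. The security server stand-in, the retention period, the URL path convention used to recognize remote repository requests, and the user ids and passwords are all constructed assumptions for this example.

```python
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Assumed retention period for cached entries; the patent leaves the period to
# the storage allocated and the level of client activity.
RETENTION_SECONDS = 600


@dataclass
class CredentialEntry:
    """One row of the security hash table (FIG. 3)."""
    user_id: str
    credentials: str                          # pointer to a credentials file, e.g. "michael.cred"
    drives: list                              # drives/mount points authorized for this user
    distinguished_name: Optional[str] = None  # SHTTP sessions are keyed by the DN
    session_id: Optional[str] = None          # SSL sessions are keyed by the session ID
    stored_at: float = field(default_factory=time.time)

    def expired(self, now: Optional[float] = None) -> bool:
        current = time.time() if now is None else now
        return current - self.stored_at > RETENTION_SECONDS


class SecurityHashTable:
    """Element 162: cached back-end credentials indexed per security protocol."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def key_for(protocol: str, session_id=None, dn=None):
        if protocol == "https":   # SSL: the server-assigned session ID identifies the browser
            return ("ssl", session_id)
        if protocol == "shttp":   # SHTTP: the DN extracted from the client certificate
            return ("shttp", dn)
        raise ValueError("unsupported security protocol: " + protocol)

    def lookup(self, key, now=None):
        entry = self._entries.get(key)
        if entry is None:
            return None
        if entry.expired(now):    # retention elapsed: authentication must be repeated
            del self._entries[key]
            return None
        return entry

    def store(self, key, entry):
        self._entries[key] = entry


# Constructed stand-in for the security server (e.g. DSS) or back-end repository:
# (user id, password) -> (credential pointer, authorized drives). Not from the patent.
SECURITY_SERVER = {
    ("michael", "pw-michael"): ("michael.cred", ["G:"]),
    ("sandy", "pw-sandy"): ("sandy.cred", ["H:"]),
}


def validate_with_security_server(user_id, password):
    return SECURITY_SERVER.get((user_id, password))


def handle_request(table, url, session_id=None, dn=None,
                   user_id=None, password=None, now=None):
    """Middle-tier intercept for one request. Returns (outcome, entry).

    Outcomes follow FIG. 4 (SSL) and FIG. 5 (SHTTP): "local" for a request that
    needs no repository, "cached" when stored credentials are reused without
    contacting the client, "login_form_required" when neither the table nor the
    request carries credentials, "error" when validation fails, and "validated"
    when new credentials were validated and stored.
    """
    parsed = urlparse(url)
    protocol = parsed.scheme.lower()       # protocol designator taken from the URL
    # Assumed convention: only paths under /remote/ need a remote data repository.
    if not parsed.path.startswith("/remote/"):
        return ("local", None)
    key = SecurityHashTable.key_for(protocol, session_id=session_id, dn=dn)
    entry = table.lookup(key, now)
    if entry is not None:
        return ("cached", entry)           # used without further client interaction
    if user_id is None or password is None:
        return ("login_form_required", None)   # prompt the user with a login form
    result = validate_with_security_server(user_id, password)
    if result is None:
        return ("error", None)
    credentials, drives = result
    entry = CredentialEntry(user_id, credentials, list(drives),
                            distinguished_name=dn, session_id=session_id,
                            stored_at=time.time() if now is None else now)
    table.store(key, entry)                # create or update the hash table entry
    return ("validated", entry)
```

The `now` parameter exists so the retention behaviour can be exercised deterministically; in a real server the wall clock would be used and the table would additionally need to be written to persistent storage if the reboot-survival and cluster failover behaviour described above is wanted.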
A second user "sandy" uses SSL to attempt to access drive H. Since SSL is the security protocol, the SSL Session ID is used as the key to the hash table. The second entry in FIG. 3 illustrates the data stored.

If Michael attempts to access Drive H, the request will be 
denied because his entry permits access only to drive G. He 
will be required to authenticate with the file system having 
drive H before being permitted to proceed. 

Sandy could attempt to access the same remote drive through a different browser using the SHTTP protocol. In the preferred embodiment, she will be permitted access because of the credentials associated with her userid and an additional table entry will be created based on her Distinguished Name. In an alternate embodiment, her first entry would be updated to include her Distinguished Name instead of creating a second entry.
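The hash table behaviour walked through above (a lookup keyed by Distinguished Name for SHTTP or by SSL Session ID for SSL, access limited to the drives recorded with the entry, reuse only while unexpired, and the additional entry created when Sandy arrives through a second browser), as an added Python model that is not the patent's own code. The class and method names, the expiry timestamps and the "authenticate" result are assumptions; the sample users and drives are taken from FIG. 3.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CredentialEntry:
    user_id: str
    credentials: str                  # e.g. "michael.cred", as in the FIG. 3 table
    drives: frozenset                 # remote drives this entry permits ("G:", "H:", ...)
    expires_at: float                 # stored credentials are reused only while unexpired
    dn: Optional[str] = None          # table key when the client authenticated with SHTTP
    session_id: Optional[str] = None  # table key when the client authenticated with SSL


class SecurityHashTable:
    """Hypothetical model of the middle tier server's credential cache (not the patent's code)."""

    def __init__(self):
        self._by_key = {}   # DN or SSL session ID -> CredentialEntry
        self._by_user = {}  # user id -> entries for that user (the index of claim 3)

    def store(self, entry):
        self._by_key[entry.dn or entry.session_id] = entry
        self._by_user.setdefault(entry.user_id, []).append(entry)

    def request_drive(self, protocol, user_id, drive, now, dn=None, session_id=None):
        """Return 'granted', 'denied' or 'authenticate' for a request to use a remote drive."""
        key = dn if protocol == "SHTTP" else session_id   # key choice follows the protocol
        entry = self._by_key.get(key)
        if entry is not None and entry.expires_at <= now:
            del self._by_key[key]                          # expired entries are not reused
            self._by_user[entry.user_id].remove(entry)
            entry = None
        if entry is None:
            # Preferred embodiment: a user who already holds live credentials under another
            # key (Sandy's SSL session) gets an additional entry created under the new key.
            live = [e for e in self._by_user.get(user_id, []) if e.expires_at > now]
            if not live:
                return "authenticate"  # server must request credentials from the client
            src = live[0]
            entry = CredentialEntry(user_id, src.credentials, src.drives, src.expires_at,
                                    dn=key if protocol == "SHTTP" else None,
                                    session_id=None if protocol == "SHTTP" else key)
            self.store(entry)
        # An entry only permits the drives recorded with it: Michael (G: only) is denied H:
        # and must authenticate with that file system before proceeding.
        return "granted" if drive in entry.drives else "denied"
```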

It will be understood from the foregoing description that 
various modifications and changes may be made in the 
preferred embodiment of the present invention without 
departing from its true spirit. It is intended that this descrip- 
tion is for purposes of illustration only and should not be 
construed in a limiting sense. The scope of this invention 
should be limited only by the language of the following 
claims. 
We claim: 

1. A computer implemented method for managing secu- 
rity in a multitiered networked computer system having 
multiple clients, a middle tier server, and one or more remote 
data repositories, the method including the steps of: 

authenticating client access to said middle tier server; 

intercepting in said server a client request for access to a 
remote data repository; 

testing for stored client credentials to access said remote
data repository;

if not found, requesting client credentials and validating 
said credentials with said remote data repository, and 
storing and associating said validated credentials with 
a client user identifier and a client session identifier; 
and 

processing said request for accessing using stored client
credentials.

2. The method of claim 1, wherein the step of authenticating client access operates according to the secure sockets layer protocol (SSL) or the secure hypertext transfer protocol (SHTTP).

3. The method of claim 1, wherein the step of storing said validated credentials includes the steps of:

creating a table entry containing a client user identification from said authenticating step, a client session identifier based on a method used for said authentication, the validated credentials, and the remote data repository access permitted;

storing said table entry in a security table indexed by said client user identifier;

updating an index based on said client user identifier.

4. The method of claim 3, wherein the remote data repository access permitted is stored as a computer system drive letter.

5. The method of claim 3, wherein the remote data repository access permitted is stored as a file system mount point.

6. The method of claim 3, wherein the remote data repository is a distributed file system managed by a distributed file system protocol.

7. The method of claim 6, wherein the distributed file system protocol is DFS.

8. The method of claim 1, wherein the remote data repository is a database server.

9. The method of claim 1, wherein the remote data repository is a transaction processing system server.

10. The method of claim 1, wherein the remote data repository is a groupware server.

11. The method of claim 8, wherein the distributed file system protocol is NFS.

12. The method of claim 1, further comprising the steps of:

sharing said stored client credentials with at least a second middle tier server;

transferring a client session from said middle tier server to said second server having access to said stored client credentials without reauthorization from said client.

13. A system for managing secure remote data repository access in a multitiered distributed network having a plurality of clients, a middle tier server, and one or more remote data repositories, the system comprising:

storage means in said server for storing client credentials for access to one or more of said remote data repositories;

authentication means in said server for authenticating client access to said middle tier server;

means for intercepting client remote data repository access requests;

means for retrieving client authentication from said storage means in response to said means for intercepting;

means for requesting client credentials from said client and validating said credentials with said one or more remote data repositories, if said means for retrieving is unable to locate stored client credentials for the requested remote data repository; and

means for storing and associating validated client credentials with a client user identifier and a client session identifier in said storage means.

14. The system of claim 13 wherein the authentication 
means includes secure socket layer authentication and 
secure hypertext transfer protocol authorization. 

15. The system of claim 13 wherein said means for storing 
includes: 

means for creating a client credential record including at 
least a client identifier, a session identifier, the validated 
credentials, and remote data repository access permit- 
ted; 

means for storing said client credential record in said storage means, and

means for updating an index to said client credential record based on said client identifier.

16. The system of claim 13, wherein said one or more 
remote data repositories include zero, one or more of a 
database server, a transaction processing system server, a 
groupware server, or a distributed file system server. 

17. A method of controlling access to mounted remote file 
systems in a computer system having a processor and 
storage means, the method including the steps of: 

intercepting a requester request to access a mounted 
remote file system; 

testing said request to determine whether stored remote 
file system mount permissions exist for said requester; 

if not, requesting credentials from said requester and validating them with the remote file system, and storing and associating the credentials with a client user identifier and a client session identifier and a validated mounted file system reference;

if credentials exist, passing said request to said remote file system.

18. The method of claim 17, wherein the mounted remote 
file system is mounted as a network drive letter and said 
validated mounted file system reference is said drive letter. 

19. A computer program product having a computer 
readable medium having computer program logic recorded 
thereon for managing security in a multitiered networked 
computer system having multiple clients, a middle tier 
server, and one or more remote data repositories, said 
computer program product comprising: 

computer program product means for authenticating cli- 
ent access to said middle tier server; 

computer program product means for intercepting in said 
server a client request for access to a remote data 
repository; 

computer program product means for testing for stored client credentials to access said remote data repository;

computer program product means for requesting client credentials and validating said credentials with said remote data repository, and storing and associating said validated credentials with a client user identifier and a client session identifier, if no stored client credentials are found; and

computer program product means for processing said request for accessing using stored client credentials.
20. The computer program product of claim 19, wherein
the computer program product means for storing said vali- 
dated credentials includes: 

computer program product means for creating a table 
entry containing a client user identification from said 
authenticating, a client session identifier based on a 
method used for said authentication, the validated 
credentials, and the remote data repository access per- 
mitted; 

computer program product means for storing said table 
entry in a security table indexed by said client user 
identifier; and 

computer program product means for updating an index 
based on said client user identifier. 

21. The computer program product of claim 19, wherein 
the remote data repository is a database server. 

22. The computer program product of claim 19, wherein 
the remote data repository is a transaction processing system 
server. 

23. The computer program product of claim 19, wherein 
the remote data repository is a distributed file system man- 
aged by a distributed file system protocol. 

24. The computer program product of claim 19, wherein 
the remote data repository is a groupware server. 